Bump express to 4.16.2 to address forwarded vulnerability

[tancnle]

• Operating System: MacOS 10.13.1
• Node Version: 8.9.1
• NPM Version: 5.5.1
• webpack Version:
• webpack-dev-server Version: 2.9.4

• This is a bug
• This is a feature request
• This is a modification request

Our most recent sourceclear scan (https://www.sourceclear.com/) has revealed a vulnerability in forwarded library which can cause regular expression denial of service (ReDoS). A flaw when the x-forwarded-for header is parsed causes the event loop to be blocked. To mitigate this, we need to bump forwarded to 0.1.2.

Dependency tree for express, before:

webpack-dev-server@2.9.4
└─┬ express@4.15.4
  └─┬ proxy-addr@1.1.5
    └── forwarded@0.1.1

after:

webpack-dev-server@2.9.4
└─┬ express@4.16.2
  └─┬ proxy-addr@2.0.2
    └── forwarded@0.1.2

[shellscape]

@tancnle thanks for checking in. I'd recommend you check out nsp versus sourceclear. NSP is picking up 11 similar vulnerabilities. however, it's important to note that webpack-dev-server is only meant to be run locally, and temporarily for the purpose of debugging. unless you're planning on attacking your own machine, you're not in much danger from the current list.

[tancnle]

@shellscape Fair point. With that in mind, this is more of less of dependency bumps to keep things up-to-dated. I guess we can close it in favour of larger update later on.

[shellscape]

I'm actually going to reopen this so we can track it in a change to come, and make sure you get credit for the original report in the commit 🍻